Method and apparatus for finite field multiplication

ABSTRACT

A method of computing the product D of two finite field elements B and C modulo an irreducible polynomial f₁(x), wherein the finite field elements B and C are represented in terms of an optimal normal basis (ONB) of Type 1 over a field F(2^(n)) and the irreducible polynomial f₁(x) being of degree n, which comprises the steps of representing the element B as a vector of binary digits b_(i), where b_(i) is a coefficient of an i-th basis element of the ONB representation of element B, in polynomial order, representing the element C as a vector of binary digits c_(i), where c_(i) is a coefficient of an i-th basis element of the ONB representation of element C, arranged in polynomial order, initializing a register A, selecting a digit c_(i) of vector C, computing a partial product vector A of the i-th digit c_(i) of the element C and the vector B, adding the partial product to the register A, shifting the register A, reducing the partial product A by a multiple f₂(x) of the irreducible polynomial f₁(x) if bits in a position above n are set, storing the reduced partial product in the register A, repeating for each successive bit of the vector C and upon completion the register A containing a final product vector; and reducing the final product vector A by the irreducible polynomial f₁(x) if an n-th bit of the register is set. The reduction step by the multiple of the irreducible polynomial simply involves a shift operation performed on the partial products.

[0001] The present invention relates to a method and apparatus for multiplying elements of a finite field, and in particular for multiplying elements of a finite field in a processor having limited computation capability, such as a smartcard, and wherein such computations are part of a cryptographic system.

BACKGROUND OF THE INVENTION

[0002] Arithmetic in finite fields is used extensively in applications such as coding theory and cryptography. Cryptographic systems, in particular, make extensive use of modular arithmetic. Making calculations modulo n is like performing normal arithmetic in that it is commutative, associative and distributive. Modular arithmetic is also easier to work with since the ranges of intermediate values and results for addition, multiplication and subtraction are restricted. This is of particular importance when the computations are implemented on a processor which has limited register length and speed.

[0003] In modular arithmetic, the set of integers modulo m is denoted F_(m) = {0, 1, 2, …, m−1}. When m is a prime number p, then the set of integers modulo p, F_(p), forms a finite field in which we can perform the operations of addition, multiplication and subtraction. Furthermore, if F_(p) = {0, 1, 2, …, p−1} and c_(i) is an element of F_(p), then the set of polynomials in x with coefficients from F_(p) is F_(p)[x] = {c_(n)x^(n) + … + c_(0) | c_(i) ∈ F_(p), n ≥ 0}.

[0004] As defined above, where the arithmetic is performed modulo a prime integer p, cryptographers may also use arithmetic modulo an irreducible polynomial f(x) of degree n whose coefficients are integers modulo q, where q is prime. These fields are designated symbolically by F(q^(n)). Thus all arithmetic is done modulo some f(x) which is an irreducible polynomial of degree n and in which the coefficients of the polynomial are elements of a finite field. If q is equal to 2, then computation in F(2^(n)) can be quickly implemented in hardware with linear feedback shift registers. For that reason, computation over F(2^(n)) is often quicker than computation over F(p).

[0005] The values of n which make a feasible cryptographic system tend to be relatively large. Finite fields used in cryptography are typically chosen from those with characteristic two, since these lend themselves to binary hardware and processors. A further specialization of the fields of characteristic two are those having an optimal normal basis, either of type I or II. Bases of type I which are optimal normal bases have the characteristic that the coefficients of a polynomial expressed in terms of a polynomial basis are the permuted coefficients of the polynomial expressed in terms of a normal basis.

[0006] A finite field may be constructed from a generating element a and is composed of a vector space of the powers of a modulo the irreducible polynomial f(x) of degree n. For example F(2³) has the following elements: 0, 1, x, x+1, x², x²+1, x²+x, x²+x+1. The component powers of a can then be reduced to degree less than n with the irreducible polynomial. These components are called the basis and for a field over the binary field of two elements, the coefficients of the basis are simply zeros and ones. If the resulting n-tuple of coefficients is ordered corresponding to the sequence a⁰, a¹, …, a^(n−1), then the field has been represented in polynomial order. If instead the coefficients are ordered to correspond to the sequence a^(2⁰), a^(2¹), …, a^(2^(n−1)) (when these powers form a normal basis for the finite field) then the representation is in normal basis order. However, when in polynomial order we will denote the basis elements in terms of a polynomial in x. This representation has several advantages for hardware implementation and is more fully described in UK patent application GB 2,176,325.

[0007] For implementation on a binary processor, the components are typically distributed across several processor words (which can be considered as a multi-word register), since a single processor word is not sufficient to hold all components if the length of the finite field is even moderately large. The length of these registers will exceed one hundred bits even for efficient elliptic curve crypto-systems. Smartcard systems are typically very memory poor (at least for RAM memory) and this invention stems from (but is not limited to) the work of the inventors to implement public key systems in such environments. The processors available in such systems are typically also not highly powered, so it is also of importance to develop efficient methods that can be useful in that environment.

SUMMARY OF THE INVENTION

[0008] This invention seeks to provide a method of multiplying finite field elements on a processor with limited processing capability, such as a smartcard or the like.

[0009] In accordance with this invention there is provided a method of determining the product of two finite field elements B and C modulo an irreducible polynomial f₁(x) wherein the finite field elements B and C are represented in terms of an optimal normal basis of type I for a field size n over the binary field and having an irreducible polynomial f₁(x) of degree n, the method comprising the steps of:

[0010] a) representing the element B as a vector of binary digits b_(i), where b_(i) is the coefficient of a^(2^i) in an optimal normal basis of type I representation of B and where the b_(i)'s are in polynomial order;

[0011] b) representing the element C as a vector of binary digits c_(i), where c_(i) is the coefficient of a^(2^i) in an optimal normal basis of type I representation of C and where the c_(i)'s are in polynomial order;

[0012] c) representing the partial product A of an i-th component b_(i) of the element B and the element C as a vector of binary digits d_(i);

[0013] d) reducing the partial product A by a multiple f₂(x) of the irreducible polynomial f₁(x);

[0014] e) adding to the reduced partial product of step d) the partial product of a successive component b_(i−1) of B and the element C;

[0015] f) repeating steps d) and e) for successive ones of the binary digits of B;

[0016] g) testing the topmost bit of the partial product A;

[0017] h) reducing the element A by the irreducible polynomial f₁(x) if the topmost bit is set, whereby A represents the product of the two finite field elements B and C modulo f₁(x).

BRIEF DESCRIPTION OF THE DRAWINGS

[0018] Embodiments of the invention will now be described by way of example only with reference to the accompanying drawings in which:

[0019] FIG. 1 is a flowchart showing the multiplication of two finite field elements;

[0020] FIG. 2 is a block diagram of a multiplier to implement multiplication of two elements in the field F(2^(n)); and

[0021] FIG. 3 is an example illustrating a squaring operation.

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT

[0022] The following discussion provides an outline of polynomial multiplication modulo an irreducible polynomial f₁(x). Multiplication of two finite field elements is commonly performed by choosing one of the two elements to be the multiplier, and the other element to be the multiplicand. The components of the multiplier (in analogy to the digits of a multiplication of numbers using longhand) are used to scale the multiplicand, which is shifted by the position of the multiplier component concerned, and the results added together in partial products. The multiplication of binary polynomials is entirely analogous, except that carries between positions are not involved, and componentwise additions consist of simple exclusive ORs. Components of the multiplier may be used in any order to compose partial products; typically they are used in ascending (or sometimes descending) order as illustrated in the following example, where the polynomials B and C to be multiplied may be represented as follows:

B = x⁴ + x³ + x + 1  (1)

C = x³ + x² + 1  (2)

[0023] Simply taking the coefficients of the polynomials and performing a multiplication thereon

$$\begin{array}{rrrrrrrr}
 & & & 1 & 1 & 0 & 1 & 1 \\
 & & & & 1 & 1 & 0 & 1 \\ \hline
 & & & 1 & 1 & 0 & 1 & 1 \\
 & 1 & 1 & 0 & 1 & 1 & & \\
1 & 1 & 0 & 1 & 1 & & & \\ \hline
1 & 0 & 1 & 0 & 1 & 1 & 1 & 1
\end{array}$$

[0024] to produce the result

A = x⁷ + x⁵ + x³ + x² + x + 1  (3)

[0025] When two polynomials are to be multiplied modulo another polynomial (the irreducible polynomial in the case of finite fields) then a reduction with that polynomial is performed to achieve the final result. This reduction may be made to the final result, or to components of the partial products. If the irreducible polynomial is

f₁(x) = x⁴ + x³ + x² + x + 1  (4)

[0026] then the binary representation of its coefficients is 11111. To reduce the results (or intermediates), multiples of the irreducible are subtracted from the result (or intermediates) until the degree is reduced below n, the degree of the irreducible. In the case of characteristic two this operation is identical to addition. The result A of equation (3) may be reduced using the polynomial (4), producing the result

$$\begin{array}{rrrrrrrr}
1 & 0 & 1 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 1 & 1 & 1 & & & \\ \hline
 & 1 & 0 & 1 & 0 & 1 & 1 & 1 \\
 & 1 & 1 & 1 & 1 & 1 & & \\ \hline
 & & 1 & 0 & 1 & 0 & 1 & 1 \\
 & & 1 & 1 & 1 & 1 & 1 & \\ \hline
 & & & 1 & 0 & 1 & 0 & 1 \\
 & & & 1 & 1 & 1 & 1 & 1 \\ \hline
 & & & & 1 & 0 & 1 & 0
\end{array}$$

A = x³ + x  (5)

[0027] When performing reductions at each stage of building the partial products, it is efficient to compose the partial products using the components of the multiplier in descending order.

[0028] Referring to the flowchart of FIG. 1, it may be seen that with this configuration the number of reductions required is reduced, since any additional components resulting from reducing the topmost components can be added together and reduced as the lower components of the product are reduced. In addition, it is not necessary to shift the multiplicand as the partial products are composed in this configuration, or for the register containing the partial product to be twice the length of the multiplier and multiplicand registers. Instead the register accumulating the partial products can be shifted to prepare it to accept the addition of the next partial product as the components of the multiplier are utilized.

[0029] To reduce the computation steps required in reducing the partial products (or at any other stage), irreducible polynomials with a minimal number of non-zero coefficients are often employed. The minimal weight irreducible polynomials are those with three non-zero terms, the so-called trinomials. For a Galois field F(2^(n)), cryptographers like to use the trinomial x^(n) + x^(k) + 1. These polynomials have been proposed for cryptography owing to their minimum feedback into the lower order terms of the polynomial as reduction progresses.

[0030] Referring now to FIG. 2, and the discussion following, an embodiment according to the present invention is described. Table 1 shows a list of values of n ≤ 2000 for which the field F(2^(n)) has an optimal normal basis (ONB), and in particular the list of values flagged with ‘*’ or ‘+’ symbols have an ONB of type I. Generally if

f₁(x) = x^(n) + x^(n−1) + … + x² + x + 1  (6)

[0031] is irreducible over F(2), then F(2^(n)) has a type I normal basis with elements 1, x, x², …, x^(n−1). Utilizing a type I ONB in polynomial order, the number of feedback terms is actually maximal, since every coefficient of the irreducible polynomial f₁(x) is one up to the required degree. Instead of using this irreducible polynomial, we use, in one embodiment, first a multiple of the irreducible polynomial

f₂(x) = (x+1) f₁(x) = x^(n+1) + 1  (7)

[0032] for the purposes of reduction. The actual irreducible f₁(x) is employed only once as a final step to complete the reduction.

[0033] Since the polynomial f₂(x) is a multiple of the irreducible polynomial f₁(x), it may be used as an intermediate reduction polynomial. The appealing feature of this intermediate reduction is the extreme simplicity of the reduction step, which consists of taking those components or terms of degree larger than n, and shifting them down to the bottom of the representation, adding them in with the field addition (EXOR'ing). This has the additional advantage that it may be done on a word basis, where the mechanism on which the field multiplication is to be performed operates upon words of some bit-length. For example, for n=10, the irreducible polynomial is f₁(x) = x¹⁰ + … + x² + x + 1 and the multiple of the irreducible is f₂(x) = x¹¹ + 1. Thus if the processor implementing the operation has a word length of four bits, successive partial products may be accumulated until the number of components exceeds n (ten in this case), and when these components fill a word length they may simply be removed and EXOR'ed with the low word of the accumulated partial product. This has the effect of reducing with the f₂(x) polynomial.

[0034] When appropriate for the following computation, the reduction may be completed employing the irreducible polynomial itself, that is, using f₁(x) not f₂(x). This operation is simple and efficient as well, and is implemented by testing the top component (bit) of the partially reduced (that is, with the f₂(x)) element, and complementing every component (bit) of the result if this top-component bit is non-zero. The degree of the result is reduced to n−1 thereby.

[0035] In a further embodiment of the invention the multiplier may be pre-processed before the process of multiplication is initiated. Since the polynomial f₁(x) is equivalent to zero in the finite field, it may be added to the multiplier without affecting the result of the computation. It is advantageous as regards computational effort if the number of non-zero components (bits) of the multiplier is reduced. Therefore, if the number of ones in the multiplier register is greater than the quantity n/2, then by adding the polynomial f₁(x) to the representation, the number of non-zero elements will be reduced to less than or equal to this same quantity, since this operation of addition will have the effect of complementing the components of the representation, up to the component of degree n. This complementation is also efficiently computable on a machine that is capable of binary operations upon the words of the representation. As may be seen as follows:

[0036] for example if n=10 and

f₁(x) = x¹⁰ + x⁹ + … + x² + x + 1

[0037] and if the multiplier

b = x⁹ + x⁸ + x⁶ + x⁴ + x³ + x² + x + 1

[0038] then, modulo f₁, an equivalent but more efficient multiplier is

b′ = b + f₁ = x¹⁰ + x⁷ + x⁵

[0039] As shown in FIG. 2, a schematic of a processor is indicated generally by reference numeral 100, for determining the product of two finite field elements B and C modulo an irreducible polynomial f₁(x), wherein the finite field elements B and C may be represented in terms of an optimal normal basis of type I for a field size n over the binary field and having an irreducible polynomial f₁(x) of degree n.

[0040] The processor 100 includes a first and second general purpose register 102 and 104 respectively. An accumulator register 106 is provided and is coupled to an ALU 108 via data paths 120 and 122 respectively. An output data path 124 is provided from the output of the ALU to the registers and the accumulator 106. Each of the registers is capable of bit shift operation.

[0041] The element B, denoted the multiplier, is a vector of binary digits b_(i), where b_(i) is the coefficient of a^(2^i) in an optimal normal basis of type I representation of B and where the b_(i)'s are in polynomial order; it is stored in a register 102 of length at least n+1 bits. The element C, denoted the multiplicand, is a vector of binary digits c_(i), where c_(i) is the coefficient of a^(2^i) in an optimal normal basis of type I representation of C and where the c_(i)'s are in polynomial order; it is stored in a register 104 of length at least n+1 bits. An accumulator A is also provided for storing the partial product A of an i-th component b_(i) of the element B and the element C as a vector of binary digits d_(i). The accumulator A 106 has a length of at least n+1 bits, but may in certain instances be longer, should the processor be capable of word length operations. Inputs to the arithmetic logic unit (ALU) 108 are provided from the multiplicand register 104 and the accumulator register 106. The ALU 108 adds (EXOR) its inputs to provide a result which is stored back in accumulator 106.

[0042] In operation, the elements B and C are stored in their respective registers. A bit selector signal 110 to the multiplier register 102 is set so that the left-most bit of the multiplier is selected. Here bit significance increases from right to left. The bit b_(m) is selected and multiplied with the entire contents of the multiplicand C. This result is then added (EXOR'ed) to the contents of the accumulator A. In effect, if b_(i) is 1 then B is added to the accumulator, or else if b_(i) is 0 then 0 may be added to the accumulator or this operation skipped. The add operation is controlled by an add control signal 109 to the accumulator. The process of multiplying and adding to the accumulator forms the partial products of each intermediate multiplication step. Next the contents of the accumulator are shifted left by applying a shift left signal 114 to the accumulator, which is the equivalent of multiplying by a factor x. The top-most bit is carried into the bottom position of the accumulator 106, as shown by numeral 112 in FIG. 2. The movement of the upper bit to the bottom bit position is equivalent to an intermediate reduction of the result by f₂(x) as outlined earlier. This process is repeated for successive bits of the multiplier. The carry of the topmost bit into the bottom position of the accumulator may be delayed until a full word of component bits above n bits is accumulated; this overflow word may then be removed and EXORed into the bottom of register A. The control signals such as the add control 109, the bit selector signal 110, the shift left signal 114 and the carries may be provided by a controller or sequencer 120.

[0043] The bit selector on the multiplier is shifted right (less significant) one bit and the process repeated in the same way for each less significant bit of b until the bits of b are exhausted. After this is complete the top-most bit of the accumulator is tested and, if set, the contents of the accumulator are inverted, which is the equivalent of reducing the final product by f₁(x). If the top-most bit is not set then the result in the accumulator is the final product modulo the irreducible.

[0044] As mentioned earlier, in a further embodiment a complement signal 119 may be provided to the multiplier if the number of 1's in the multiplier is greater than n/2. More generally however, if either input to the multiplier has more than n/2 non-zero (one) components, then that input can be complemented. Thus the element with the least number of ones may be selected as the multiplier, and this selection can also include the complements.
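The register procedure of paragraphs [0042] to [0044], the longhand multiply-then-reduce of paragraphs [0022] to [0026] and the complementing trick of paragraph [0035], written out as an added C example (this is not code from the patent): `onb1_mul` rotates an (n+1)-bit accumulator to reduce by f₂(x) and complements it once at the end to reduce by f₁(x), `gf2_mul_reduce_f1` is the schoolbook reference, and `lighten_multiplier` complements a heavy multiplier. The function names and the `uint32_t` register width are assumptions of this example.

```c
/* Added example, not the patent's code: type I ONB multiplication in
 * polynomial order on an (n+1)-bit register, with f2(x) = x^(n+1) + 1
 * reduction done by rotation and one final f1(x) complement step. */
#include <stdint.h>
#include <stdio.h>

/* Mask selecting the n+1 register bits, i.e. components of degree 0..n. */
static uint32_t reg_mask(unsigned n)
{
    return ((uint32_t)1u << (n + 1)) - 1u;
}

/* Reference, as in the longhand example: carry-less product of b and c,
 * then subtract (XOR) shifted copies of f1(x) = x^n + ... + x + 1 from the
 * top until the degree is below n. */
uint32_t gf2_mul_reduce_f1(uint32_t b, uint32_t c, unsigned n)
{
    uint64_t prod = 0, f1 = reg_mask(n);        /* f1 has n+1 one bits */
    for (unsigned i = 0; i <= n; i++)           /* one row per set bit of c */
        if ((c >> i) & 1u)
            prod ^= (uint64_t)b << i;
    for (int d = 2 * (int)n; d >= (int)n; d--)  /* clear degrees 2n down to n */
        if ((prod >> d) & 1u)
            prod ^= f1 << (d - n);
    return (uint32_t)prod;                      /* degree <= n-1 */
}

/* The invention (FIG. 2): for each multiplier bit, most significant
 * first, rotate the accumulator left by one within n+1 bits (multiply by
 * x, with the top bit carried into the bottom position: reduction by f2)
 * and, when the bit is set, XOR in the multiplicand. */
uint32_t onb1_mul(uint32_t b, uint32_t c, unsigned n)
{
    uint32_t mask = reg_mask(n), a = 0;
    for (int i = (int)n; i >= 0; i--) {
        a = ((a << 1) | (a >> n)) & mask;       /* shift left 114 with carry 112 */
        if ((b >> i) & 1u)
            a ^= c;                             /* add control signal 109 */
    }
    if ((a >> n) & 1u)                          /* final step: reduce by f1 */
        a ^= mask;                              /* adding f1 complements bits 0..n */
    return a;
}

/* Paragraph [0035]: f1 is zero in the field, so adding it (all ones) to a
 * multiplier with more than n/2 set bits leaves at most n/2 set bits and
 * therefore fewer add steps. */
uint32_t lighten_multiplier(uint32_t b, unsigned n)
{
    uint32_t mask = reg_mask(n);
    unsigned ones = 0;
    for (uint32_t t = b & mask; t != 0; t >>= 1)
        ones += t & 1u;
    return ones > n / 2 ? (b ^ mask) : b;
}

int main(void)
{
    /* n = 4, B = 11011, C = 01101 from equations (1) and (2) */
    printf("schoolbook: %02x, register method: %02x (expect 0a = x^3 + x)\n",
           (unsigned)gf2_mul_reduce_f1(0x1B, 0x0D, 4), (unsigned)onb1_mul(0x1B, 0x0D, 4));
    /* the n = 10 multiplier of paragraph [0037] becomes x^10 + x^7 + x^5 */
    printf("lightened multiplier: %03x (expect 4a0)\n",
           (unsigned)lighten_multiplier(0x35F, 10));
    return 0;
}
```

With n = 4, B = 11011 and C = 01101 both routines return 01010, the result of equation (5); for n = 10 the multiplier b of paragraph [0037] (0x35F) and its lightened form b′ (0x4A0) give the same product.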

[0045] The square of an element may be calculated in exactly the same manner as the multiplication described above. When multiplying an element of a finite field with itself, simplifications occur which make the calculation computationally much more efficient than the non-squaring multiplication described above. The normal basis representation of an element has the advantage that squaring can be computed merely by a cyclic shift of the representation, which is maintained in normal basis order. When memory is at a premium, this not only has the advantage of extreme simplicity and speed, but also allows elements to be squared (and by inverting the process, square-rooted) in place (that is, an additional register used to contain the result is not required). If an element B to be squared is represented in polynomial basis as

$$B = \sum_{i=0}^{n} b_i X^{i} \qquad (8)$$

[0046] The square of the element is

$$B^{2} = \sum_{i=0}^{n/2} b_i X^{2i} + \sum_{i=n/2+1}^{n} b_i X^{2(i-n/2)-1}. \qquad (9)$$

[0047] The following describes an embodiment of the invention for squaring (and also square root extraction, by inverting the process) of a type I ONB finite field element, represented in polynomial order, in place.

[0048] When squaring an element in a field of characteristic two, the cross-product terms all become zero since they occur twice, using the fact that 2 becomes 0 in a field of characteristic two. This has the effect that the first stage of squaring can be computed by interleaving zeros and reducing. As in the multiplication case with non-identical elements we will reduce first with the polynomial f₂(x). Thus, continuing the example for n=10, if the coefficients of an element B can be represented in descending order as 01011010110, then squaring involves interleaving zeros to the left of each element as follows: 0001000101000100010100. This result may then be reduced with the polynomial f₂(x), the coefficients being folded down being 0010001010, the n components above the lowest n+1 components of the interleaved representation.

[0049] This unfortunately requires a double length register, or a source and destination register, to perform the operation. If such a double length register is available, then the partial reduction with f₂(x) is made very efficient by reducing word by word, in decreasing order, as was done in the multiplication above.

[0050] The partial reduction with f₂(x) has the advantage that, proceeding from the lowest (or zero degree) component, the components of degree [0, 1, …, n/2] are relocated to the even components [0, 2, 4, …, n] in order (n is even for a type I ONB), and the remaining components [n/2+1, n/2+2, …, n] are relocated to the odd components [1, 3, 5, …, n−1] in order, by the process of the squaring operation. This may also be seen from equation (9). We use this fact to provide a second squaring operation that has the advantage that the computation can be made in place.

[0051] For squaring in place, first align the second half of the representation to word boundaries so that the upper portion, that is the [0, 1, …, n/2] portion contributing to the odd locations, begins on a word boundary. To this effect, any unused portion of the topmost word, and perhaps one additional word, may be required as the top half of the components are shifted up to a word boundary. If for example a word is a byte long then a component B=01011010110 may be stored as 0000101100010110. This representation may be broken up into words represented as follows:

O₁=0000, O₀=1011, e₁=0001, e₀=0110

[0052] These components interleaved with zeroes may be represented as follows:

Ô₁=00000000, Ô₀=10001010, ê₁=00000001, ê₀=00010100

[0053] At this point, the components that will be positioned into the even locations are all in order in the bottom half of the register (and by default, word aligned), whereas the components contributing to the odd locations are all in order in the top half of the register (also word aligned, preferably). The components are now interleaved in place. Consider the words of the register to be paired together, the bottom word of the bottom half paired with the bottom word of the top half, with this pairing progressing upwards through the pairs.

[0054] Considering the first pair, the word in the bottom register will contribute components to the even locations of the zeroth word of the result, as well as the even locations of the next word of the result (numbering here starts from zero). The word in the top of the register will similarly contribute components to the odd locations of the zeroth word of the result and the odd components of the next word of the result. In other words, the bottom word of the pair consists of the concatenation e₁e₀ and the top word of the pair o₁o₀, where e₀ is the bottom half of the word (assuming the word-size is even) that will contribute only to the even locations of the zeroth word, and e₁ will contribute only to the even locations of the next word. The word halves o₁, o₀ similarly contribute to the odd locations of words zero and one respectively.

[0055] Let the new ê₀ be the components of e₀ interleaved with zeros so that the components of e₀ are in the even locations of the word, and let ê₁ be the exact same word except using the components of e₁. Similarly let ô₀ have the components of o₀ positioned in the odd locations, and also ô₁.

[0056] In a further embodiment pairs of (o₁o₀, e₁e₀) may be operated upon to produce the pair of words (ô₁⊕ê₁, ô₀⊕ê₀). In a preferred embodiment a lookup table with half the word size may be used to produce components interleaved with zero. Alternately, hardware may be introduced to perform the interleaving.

[0057] Positioning to odd locations is made thereafter with a shift of the word (or even locations can be produced with a shift if the table is set up to produce odd interleaved locations).

[0058] At this point the components of the words are in the correct locations to produce the square, but the words themselves are not in the correct order.

[0059] Referring to FIG. 3, w₀ denotes the assembled value ô₀⊕ê₀, w₁ denotes ô₁⊕ê₁, and similarly for w₂ and w₃. To complete the squaring operation, permute the words of the register, which may involve word read and write operations of the processor.
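The in-place squaring of paragraphs [0047] to [0059] with 8-bit words, as an added C example (not the patent's own code): `onb1_square_inplace` spreads each nibble with a 16-entry table, XORs each (high word, low word) pair into (w₂ₖ₊₁, w₂ₖ) in the same two slots, permutes the words into order and applies the final f₁(x) complement step, while `square_by_eq9` evaluates equation (9) directly as a cross-check. The layout helpers `pack_halves` and `unpack`, the table name `spread4` and the word-count limit are assumptions of this example; it runs the n=10, B=01011010110 case of paragraph [0051] and also a two-words-per-half case (n=18) that exercises the word permutation.

```c
/* Added example, not the patent's code: in-place squaring of a type I ONB
 * element kept in polynomial order, using 8-bit words, a zero-interleave
 * lookup table and a final word permutation, as in paragraphs [0047]-[0059]. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_WORDS 8            /* per half; n+1 <= 32 is all this example needs */

/* spread4[v]: the four bits of nibble v placed at even bit positions 0,2,4,6
 * (the "lookup table with half the word size" of paragraph [0056]). */
static const uint8_t spread4[16] = {
    0x00, 0x01, 0x04, 0x05, 0x10, 0x11, 0x14, 0x15,
    0x40, 0x41, 0x44, 0x45, 0x50, 0x51, 0x54, 0x55
};

static unsigned half_words(unsigned n)
{
    return (n / 2 + 1 + 7) / 8;                 /* words needed for n/2+1 components */
}

/* Layout of paragraph [0051]: words 0..w-1 hold components 0..n/2 (the even
 * contributors), words w..2w-1 hold components n/2+1..n aligned to a word
 * boundary (the odd contributors). */
void pack_halves(uint32_t b, unsigned n, uint8_t reg[])
{
    unsigned w = half_words(n), lo_bits = n / 2 + 1;
    uint32_t lo = b & ((1u << lo_bits) - 1u), hi = b >> lo_bits;
    for (unsigned k = 0; k < w; k++) {
        reg[k]     = (uint8_t)(lo >> (8 * k));
        reg[w + k] = (uint8_t)(hi >> (8 * k));
    }
}

/* Square in place: pair word k with word w+k, spread each nibble with the
 * table, shift the odd contributors up by one and XOR the pair into
 * (w_{2k}, w_{2k+1}) stored in the same two slots; then perfect-shuffle the
 * words into ascending order and apply the f1(x) complement step. */
void onb1_square_inplace(uint8_t reg[], unsigned n)
{
    unsigned w = half_words(n);
    for (unsigned k = 0; k < w; k++) {
        uint8_t e = reg[k], o = reg[w + k];
        reg[k]     = spread4[e & 0xF] ^ (uint8_t)(spread4[o & 0xF] << 1);  /* w_{2k}   */
        reg[w + k] = spread4[e >> 4]  ^ (uint8_t)(spread4[o >> 4]  << 1);  /* w_{2k+1} */
    }
    uint8_t tmp[2 * MAX_WORDS];                 /* word reads and writes of [0059] */
    memcpy(tmp, reg, 2 * w);
    for (unsigned k = 0; k < w; k++) {
        reg[2 * k]     = tmp[k];
        reg[2 * k + 1] = tmp[w + k];
    }
    if ((reg[n / 8] >> (n % 8)) & 1u)           /* component n set: add f1, i.e. complement 0..n */
        for (unsigned i = 0; i <= n; i++)
            reg[i / 8] ^= (uint8_t)(1u << (i % 8));
}

/* Collect components 0..n back into an integer. */
uint32_t unpack(const uint8_t reg[], unsigned n)
{
    uint32_t v = 0;
    for (unsigned i = 0; i <= n; i++)
        if ((reg[i / 8] >> (i % 8)) & 1u)
            v |= 1u << i;
    return v;
}

uint32_t onb1_square(uint32_t b, unsigned n)
{
    uint8_t reg[2 * MAX_WORDS] = {0};
    pack_halves(b, n, reg);
    onb1_square_inplace(reg, n);
    return unpack(reg, n);
}

/* Equation (9) evaluated term by term, followed by the f1 step, for checking. */
uint32_t square_by_eq9(uint32_t b, unsigned n)
{
    uint32_t s = 0, mask = (1u << (n + 1)) - 1u;
    for (unsigned i = 0; i <= n; i++)
        if ((b >> i) & 1u)
            s ^= 1u << (i <= n / 2 ? 2 * i : 2 * (i - n / 2) - 1);
    return ((s >> n) & 1u) ? (s ^ mask) : s;
}

int main(void)
{
    /* n = 10, B = 01011010110: expect w1 w0 = 00000001 10011110 = 0x19e */
    printf("in place: %03x, by eq. (9): %03x\n",
           (unsigned)onb1_square(0x2D6, 10), (unsigned)square_by_eq9(0x2D6, 10));
    return 0;
}
```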

[0060] While the invention has been described in connection with the specific embodiment thereof, and in a specific use, various modifications thereof will occur to those skilled in the art without departing from the spirit of the invention as set forth in the appended claims.

[0061] The terms and expressions which have been employed in this specification are used as terms of description and not of limitation; there is no intention in the use of such terms and expressions to exclude any equivalence of the features shown and described or portions thereof, but it is recognized that various modifications are possible within the scope of the claims to the invention.

TABLE 1. Values of n ≤ 2000 for which F(2^(n)) has an optimal normal basis; entries marked ‘*’ or ‘+’ have an ONB of type I.

2+ 113 293 473676* 873 1110 1310 1533 1790  3 119 299 483 683 876* 1116* 1323 15391791  4* 130* 303 490* 686 879 1118 1329 1541 1806  5 131 306 491 690882* 1119 1331 1548* 1811  6 134  30 495 700* 891 1121 1338 1559 1818  9135 316* 508* 708* 893 1122* 1341 1570* 1821  10* 138* 323 509 713 906*1133 1346 1583 1829  11 146 326 515 719 911 1134 1349 1593 1835  12*148* 329 519 723 923 1146 1353 1601 1838  14 155 330 522* 725 930 11541355 1618* 1845  18+ 158 338 530 726 933 1155 1359 1620* 1850  23 162*346* 531 741 935 1166 1370 1626 1854  26 172* 348* 540* 743 938 11691372* 1636* 1859  28* 173 350 543 746 939 1170* 1380* 1649 1860*  29 174354 545 749 940* 1178 1394 1653 1863  30 178* 359 546* 755 946* 11851398 1659 1866+  33 179 371 554 756* 950 1186* 1401 1661 1876*  35 180*372* 556* 761 953 1194 1409 1666* 1883  36* 183 375 558 765 965 11991418 1668* 1889  39 186 378+ 561 771 974 1211 1421 1673 1898  41 189378* 562* 772* 975 1212* 1425 1679 1900*  50 191 386 575 774 986 12181426* 1685 1901  51 194 388* 585 779 989 1223 1430 1692* 1906*  52* 196*393 586* 783 993 1228* 1439 1703 1923  53 209 398 593 785 998 1229 14431706 1925  58* 210+ 410 606 786* 1013 1233 1450* 1730 1926  60* 221 411611 791 1014 1236* 1451 1732* 1930*  65 226* 413 612* 796* 1018* 12381452* 1733 1931  66* 230 414 614 803 1019 1251 1454 1734 1938  69 231418* 615 809 1026 1258* 1463 1740* 1948*  74 233 419 618+ 810 1031 12651469 1745 1953  81 239 420* 629 818 1034 1269 1478 1746* 1955  82* 243426 638 820* 1041 1271 1481 1749 1958  83 245 429 639 826* 1043 12741482* 1755 1959  86 251 431 641 828* 1049 1275 1492* 
1758 1961  89 254438 645 831 1055 1276* 1498* 1763 1965  90 261 441 650 833 1060* 12781499 1766 1972*  95 268* 442* 651 834 1065 1282* 1505 1769 1973  98 270443 652* 846 1070 1289 1509 1773 1978*  99 273 453 653 852* 1090* 1290*1511 1778 1983 100* 278 460* 658* 858* 1103 1295 1518 1779 1986* 105 281466* 659 866 1106 1300* 1522* 1785 1994 106* 292* 470 660* 870 1108*1306* 1530* 1786* 1996*

The embodiments of the invention in which an exclusive property or privilege is claimed are defined as follows:
 1. A computer system for determining the product of two finite field elements B and C modulo an irreducible polynomial f₁(x), wherein the finite field elements B and C are represented in terms of an optimal normal basis (ONB) of Type 1 over a field F(2^(n)) and said irreducible polynomial f₁(x) being of degree n, comprising: (a) a memory containing a first vector of binary digits b_(i), where b_(i) is a coefficient of the i^(th) basis element of said ONB representation of element B, arranged in polynomial order; a second vector of binary digits c_(i), where c_(i) is a coefficient of the i^(th) basis element of said ONB representation of element C, arranged in polynomial order; a computer program having functions for invocation, said functions for computing a partial product of a multiplier with a multiplicand and for reducing said partial product by a multiple of said irreducible polynomial f₁(x); (b) a control program for invoking said functions; and (c) a processor for running said computer program.
 2. A method of determining the product of two finite field elements B and C modulo an irreducible polynomial f₁(x) in a computer system having a computer program with functions for invocation and a control program for invoking said functions, said finite field elements B and C being represented in terms of an optimal normal basis of Type 1 over a field F(2^(n)) and said irreducible polynomial f₁(x) being of degree n, and said field elements B and C being represented as a vector of binary digits, each digit being the coefficient of the elements arranged in polynomial order, said method comprising: (a) invoking a function to compute the partial product of said element B with a selected digit of said element C; (b) monitoring an overflow bit of said partial products; (c) invoking a function for reducing said partial products by a multiple f₂(x) of the irreducible f₁(x) when said overflow occurs and deriving a reduced partial product therefrom; (d) adding said reduced partial product to said successive partial product; (e) continuing said steps (c) and (d) for successive digits of said element C to derive a final product; (f) reducing said final product by said irreducible f₁(x) if said n^(th) bit is set.
 3. A method of computing the product D of two finite field elements B and C modulo an irreducible polynomial f₁(x), wherein the finite field elements B and C are represented in terms of an optimal normal basis (ONB) of Type 1 over a field F(2^(n)) and said irreducible polynomial f₁(x) being of degree n, said method comprising the steps of: (a) representing the element B as a vector of binary digits b_(i), where b_(i) is a coefficient of an i^(th) basis element of said ONB representation of element B, in polynomial order; (b) representing said element C as a vector of binary digits c_(i), where c_(i) is a coefficient of an i^(th) basis element of said ONB representation of element C, arranged in polynomial order; (c) initializing a register A; (d) selecting a digit c_(i) of said vector C; (e) computing a partial product vector A of said i^(th) digit c_(i) of said element C and the vector B; (f) adding said partial product to said register A; (g) shifting said register A; (h) reducing said partial product A by a multiple f₂(x) of the irreducible polynomial f₁(x) if bits in a position above n are set; (i) storing said reduced partial product in said register A; (j) repeating said steps (e) to (h) for each of said successive bits of said vector C and upon completion said register A containing a final product vector; and (k) reducing said final product vector A by said irreducible polynomial f₁(x) if an n^(th) bit of said register is set.
4. A method as defined in claim 3, said reducing said partial product A includes shifting said bits greater than n to said lowermost bit positions and adding said bits thereto.
5. A method as defined in claim 4, said shifting being performed on a word length of bits.
6. A method as defined in claim 5, said adding being an XORing.
7. A method as defined in claim 3, said reducing said partial product A includes testing said (n+1)^(th) bit and shifting said bit to said lowermost bit positions and adding said bit thereto.
8. A method as defined in claim 3, including storing said vector B in a register.
9. A method as defined in claim 3, said multiple f₂(x) being represented by f₂(x) = (x+1)f₁(x).
10. A method as defined in claim 3, said reducing said final partial product A comprises complementing said component bits to thereby reduce said result to degree (n−1).
11. A method as defined in claim 3, including the step of adding said irreducible f₁(x) to said vector B if the number of one (1) bits of said vector is greater than n/2.
12. A method as defined in claim 11, said step comprising complementing said bits up to said component of degree n.
13. A method as defined in claim 3, said bits c_(i) being selected in decreasing significance.
14. A method as defined in claim 3, said i^(th) basis element having a form a^(2^i).
15. A finite field multiplier for computing the product D of two finite field elements B and C modulo an irreducible polynomial f₁(x), wherein the finite field elements B and C are represented in terms of an optimal normal basis (ONB) of Type 1 over a field F_(2^n) and said irreducible polynomial f₁(x) being of degree n, comprising: a) a register B for holding the digits b_(i) of a vector of binary digits b_(i), where b_(i) is a co-efficient of an i^(th) basis element of said ONB representation of said element B, arranged in polynomial order; b) a shift register A for holding a result of said computation and of size at least greater than the degree n of the finite field and for shifting its contents in response to a shift control signal; c) means for sequentially selecting digits c_(i) of a vector of binary digits c_(i), where c_(i) is a co-efficient of an i^(th) basis element of said ONB representation of said element C, arranged in polynomial order, and for generating an add control signal in response to said digit c_(i) being set; and d) an arithmetic logic unit (ALU) having a finite field adder circuit responsive to said add control signal, for adding said register B and said register A received as vectors of binary digit inputs and outputting a result of said addition to said shift register A, thereby computing a partial product vector A of said i^(th) digit c_(i) of said element C and the vector B while adding said result to a previous partial product in said register A, and whereby said successive partial products may be reduced by a multiple f₂(x) of the irreducible polynomial f₁(x) if bits (n+1) or greater are set by shifting said upper (n+1) bits to a lowermost (n+1) bits of said register A; said reduced partial products being computed for successive components of said vector C and upon completion said register A containing a final product vector and said final product vector A being reduced by said irreducible polynomial f₁(x) if an n^(th) bit of said register is set by applying said complement signal such that said register A represents said product of said two finite field elements B and C modulo f₁(x).
16. A method of squaring a finite field element B modulo an irreducible polynomial f₁(x), wherein the finite field element B is represented in terms of an optimal normal basis (ONB) of Type 1 over a field F_(2^n) and said irreducible polynomial f₁(x) being of degree n, said method comprising the steps of: a) representing the element B as a vector of binary digits b_(i), where b_(i) is a co-efficient of the i^(th) basis element of said ONB representation of element B, arranged in polynomial order; b) interleaving the binary digits of the representation of element B with zero digits to derive a square thereof; c) storing in successive cells of a 2n cell shift register the binary digits of the interleaved representation of the element B; d) reducing said square by a multiple f₂(x) of the irreducible polynomial f₁(x).
17. A method as defined in claim 16, said reduction is a cyclic shift of an upper n bits to the lower n bits.
18. A method of squaring a finite field element B modulo an irreducible polynomial f₁(x), wherein the finite field element B is represented in terms of an optimal normal basis (ONB) of Type 1 over a field F_(2^n) and said irreducible polynomial f₁(x) being of degree n, said method comprising the steps of: a) representing the element B as a vector of n binary digits b_(i), where b_(i) is a co-efficient of the i^(th) basis element of said ONB representation of element B, arranged in decreasing polynomial order; b) selecting successive word length sets of said representation; c) interleaving the binary digits of each of said words with zero digits; d) storing an XOR of alternate sets of interleaved words in a register for all such sets; and e) permuting said stored words to derive a square of said element B therefrom.
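The multiplier of claims 3 and 9, the final reduction of claim 10, and the zero-interleaving squarer of claims 16 and 17, carried out on bit vectors as an added worked example (this is illustrative code written for this page, not the patent's own implementation). It assumes elements are Python ints with bit i holding the coefficient of a^i in polynomial order, so that f₁(x) is the all-ones polynomial of degree n and f₂(x) = (x+1)f₁(x) = x^(n+1) + 1, which makes the claimed reduction a cyclic wrap of the bits above position n:

```python
# Added worked example (not the patent's own code): the shift-and-add multiplier of
# claims 3 and 9 and the zero-interleaving squarer of claim 16 over F_(2^n) with a
# Type 1 ONB in polynomial order. Bit i of an int is the coefficient of alpha^i, alpha
# a primitive (n+1)-th root of unity, so f1 = x^n + ... + 1 and f2 = (x+1)f1 = x^(n+1) + 1.

def aop(n):
    """f1(x): the all-ones polynomial of degree n, as an (n+1)-bit mask."""
    return (1 << (n + 1)) - 1

def reduce_f2(a, n):
    """Reduce mod f2(x) = x^(n+1) + 1: bits above position n wrap to the bottom."""
    mask = (1 << (n + 1)) - 1
    while a >> (n + 1):
        a = (a & mask) ^ (a >> (n + 1))
    return a

def reduce_f1(a, n):
    """Final reduction mod f1 (claim 10): if bit n is set, complement bits 0..n."""
    if (a >> n) & 1:
        a ^= aop(n)
    return a

def onb_mul(b, c, n):
    """Claim 3: shift A, XOR in B when the digit of C is set (claim 6), reduce by f2."""
    a = 0
    for i in range(n, -1, -1):      # digits of C in decreasing significance (claim 13)
        a <<= 1                     # shift before the add so A ends as B*C, not x*B*C
        if (c >> i) & 1:
            a ^= b
        a = reduce_f2(a, n)         # at most one wrap: a < 2^(n+2) here
    return reduce_f1(a, n)

def onb_square(b, n):
    """Claim 16: interleave zeros (b_i x^i -> b_i x^(2i)), reduce by f2, then by f1."""
    sq = 0
    for i in range(n + 1):
        if (b >> i) & 1:
            sq |= 1 << (2 * i)
    return reduce_f1(reduce_f2(sq, n), n)

def ref_mul(b, c, n):
    """Reference check: carry-less product followed by long division by f1."""
    p = 0
    for i in range(c.bit_length()):
        if (c >> i) & 1:
            p ^= b << i
    for d in range(p.bit_length() - 1, n - 1, -1):
        if (p >> d) & 1:
            p ^= aop(n) << (d - n)
    return p
```

With n = 10 (11 is prime and 2 is a primitive root modulo 11, so a Type 1 ONB exists) onb_mul agrees with ref_mul on every input, adding f₁ to B as in claim 11 leaves the product unchanged, and ten applications of onb_square return the input, as the Frobenius map must.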